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IN THE CLAIMS 

Amended claims follow: 

1 . (Currently Amended) A system foT identifying a macro virus family using 
a macro virus definitions database, comprising: 

a macro virus definitions database comprising a set of indices and macro virus 
definition data files with each index referencing one or more of the macro virus definition 
data files and each macro virus definition data file defining macro virus attributes for 
known macro viruses that are each comprised of at least one macro, the sets of the indices 
and the macro virus definition data files being organized into a hierarchy according to 
macro vims families based on a type of application to which the macro applies; 

a parser parsing a suspect file into tokens comprising one of individual string 
constants and source code text and storing the tokens as suspect strings into a hierarchical 
parse tree, 

a macro virus checker comparing each suspect string to the macro virus attributes 
defined in the one or more macro virus definition data files for each macro virus family in 
the macro virus definitions database and determining each macro virus family to which 
the suspect string belongs from the index for each macro virus definition data file at least 
partially containing the suspect string; 

the macro virus checker parsing the macro virus attributes from one or more file 
objects and analyzing the macro virus definition data files by index for each macro virus 
family; and 

the macro virus checker iteratively retrieving each macro virus definition data file 
using the index for each macro virus family and providing the macro virus attributes 
defined in the retrieved macro vims definition data file; 

wherein the macro virus definitions database stores at least one of string constants 
and source code text common to each macro virus family in the macro virus attributes for 
the macro virus definition data files; and the macro virus checker compares each suspect 
string to the at least one of string constants and source code text in the one or more macro 
virus definition data files for each macro virus family; 
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wherein a parameter is utilized for specifying a threshold to matches of commonly 
shared at least one of string constants and source code text 

wherein the macro virus definition data files are indexed into the macro virus 
families categorized by a replication method employed: 

wherein the suspect string comprises part of the suspect file, the suspect file 
comprising a plurality of individual suspect strings; 

wherein the macro virus checker identifies the replication method common to the 
plurality of the individual suspect strings in the suspect file; 

wherein the macro virus checker identifies the macro virus family bv which the 
common replication method is indexed . 

2-11. (Cancelled) 

1 2. (Original) A system according to Claim 1 , further comprising: 

the macro virus checker resetting the index referencing one or more of the macro 
virus definition data files for at least one macro virus family and creating a new macro 
virus definition data file entry comprising an index referencing one or more macro virus 
definition files. 

13. (Original) A system according to Claim 12, further comprising: 

the new macro virus definition data file entry defining the macro virus attributes 
by storing at least one of a string constant and source code text. 

14. (Cancelled) 

15- (Previously Presented) A system according to Claim 1, further comprising: 
the macro virus checker cross referencing at least one of a string constant and 

source code text from the parsed macro file attributes against the macro virus attributes 

defined in the virus definition data files. 

16. (Cancelled) 
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1 7. (Currently Amended) A method for identifying a macro virus family using 
a macro virus definitions database, comprising: 

maintaining a macro virus definitions database comprising a set of indices and 
macro virus definition data files with each index referencing one or more of the macro 
virus definition data files and each macro virus definition data file defining macro virus 
attributes for known macro viruses that are each comprised of at least one macros 

organizing the sets of the indices and the macro virus definition data files into a 
hierarchy according to macro virus families based on a type of application to which the 
macro applies; 

parsing a suspect file into tokens comprising one of individual string constants 
and source code text and storing the tokens as suspect strings into a hierarchical parse 
tree; 

comparing each suspect string to the macro virus attributes defined in the one or 
more macro virus definition data files for each macro virus family in the macro virus 
definitions database; and 

determining each macro vims family to which the suspect string belongs from the 
index for each macro virus definition data file at least partially containing the suspect 
string; 

parsing the macro virus attributes from one or more file objects and analyzing the 
macro virus definition data files by index for each macro virus family; and 

iteratively retrieving each macro virus definition data file using the index for each 
macro virus family and providing the macro virus attributes defined in the retrieved 
macro virus definition data file; 

wherein the macro virus definitions database stores at least one of string constants 
and source code text common to each macro virus family in the macro virus attributes for 
the macro virus definition data files; and a comparison is performed between each 
suspect string and the at least one of string constants and source code text in the one or 
more macro virus definition data files for each macro virus family; 

wherein a parameter is utilized for specifying a threshold to matches of commonly 
shared at least one of string constants and source code text; 
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wherein the macro virus definition data files arc i ndexed into the macro virus 
families categorized bv a repli cation method employed; 

wherein the suspect string comprises p art of the suspect file, the suspect file 
comprising a plurality of individual susp ect strings,; 

wherein the re plication method common to the plurality of the indiv idual suspect 
strings in the suspect file is i dentified: 

wherein further included is an identification of the macro virus family by which 
the common replication method is indexed, 

18-27, (Cancelled) 

28. (Original) A method according to Claim 17, further comprising: 
resetting the index referencing one or more of the macro virus definition data files 

for at least one macro virus family; and 

creating a new macro virus definition data file entry comprising an index 
referencing one or more macro virus definition files. 

29. (Original) A method according to Claim 28, further comprising: 
defining the macro virus attributes for the new macro virus definition data file 

entry by storing at least one of a string constant and source code text. 

30. (Cancelled) 

3 1 . (Previously Presented) A method according to Claim 17, further 
comprising: 

cross referencing at least one of a string constant and source code text from the 
parsed macro file attributes against the macro virus attributes defined in the virus 
definition data files. 

32. (Cancelled) 
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33. (Currently Amended) A computer-readable storage medium holding code 
for performing the method according to Claims 17, 1 8 , 19, or 28. 

34. (Currently Amended) A system for identifying a macro virus family using 
a macro virus definitions database, comprising; 

a macro virus definitions database comprising a set of indices and associated 
macro virus definition data files, further comprising: 

one or more of the macro virus definition data files referenced by the 
associated index with each macro virus definition data file defining macro virus attributes 
for known macro viruses that are each comprised of at least cine macro; 

a hierarchy organized according to a macro family to which each of the 
sets of the indices and the macro virus definition data files belong based on a type of 
application to which the macro applies; 

a parser parsing a suspect file into tokens comprising one of individual string 
constants and source code text and storing the tokens as strings into a hierarchical parse 
tree; 

a macro virus checker comparing one or more strings stored in a suspect file to 
the macro virus attributes defined in the one or more macro virus definition data files for 
each macro virus family in the macro virus definitions database and determining the 
macro virus family to which the suspect file belongs from the indices for each of the 
macro virus definition data files at least partially containing the suspect file; 

the macro virus checker parsing macro virus attributes from one or more file 
objects and analyzing the macro virus definition data files by index for each macro virus 
family; and 

the macro virus checker iteratively retrieving each macro virus definition data file 
using the index for each macro virus family and providing the macro virus attributes 
defined in the retrieved macro virus definition data file; 

wherein the macro virus definitions database stores at least one of string constants 
and source code text common to each macro virus family in the macro virus attributes for 
the macro virus definition data files; and the macro virus checker compares a suspect 
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string to the at least one of string constants and source code text in the one or more macro 
virus definition data files for each macro virus family; 

wherein a parameter is utilized for specifying a threshold to matches of commonly 
shared at least one of string constants and source code text; 

wherein the macro virus definition data files are indexed in to the macro virus 
families categorized by a replication method employed; 

wherein the suspect string comprises part of the suspect file, the suspect file 
comprising a plurality of individual suspect strings; 

wherein the macro virus checker identifies the replication method c ommon to the 
plurality of the individual suspect strings in the suspect file; 

wherein the macro virus checker identifies the macr o virus family by 

which the common replication method is indexed . 

35. (Currently Amended) A system according to Claim 34, further 
comprising: 

each macro virus family defined according to [[a]]the replication method common 
to each of the macro virus definition data files associated with one such index. 

36 -37. (Cancelled) 

38. (Previously Presented) A system according to Claim 34, further 
comprising: 

the macro virus checker designating a minimum length of commonly shared 
string constants. 

39. (Currently Amended) A method for identifying a macro virus family using 
a macro virus definitions database, comprising: 

maintaining a macro virus definitions database comprising a set of indices and 
associated macro virus definition data files, further comprising: 
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referencing one or more of the macro virus definition data files by the 
associated index with each macro virus definition data file defining macro virus attributes 
for known macro viruses that are each comprised of at least one macro; 

organizing the sets of the indices and the macro virus definition data files into a 
hierarchy according to macro virus families based on a type of application to which the 
macro applies; 

parsing a suspect file into tokens comprising one of individual string constants 
and source code text and storing the tokens as strings into a hierarchical parse tree; 

comparing the strings to the macro virus attributes defined in the one or more 
macro virus definition data files for each macro virus family in the macro virus 
definitions database; 

determining the macro virus family to which the suspect file belongs from the 
indices for each of the macro virus definition data files at least partially containing the 
suspect file; 

parsing macro virus attributes from one or more file objects and analyzing the 
macro virus definition data files by index for each macro virus family; and 

iteratively retrieving each macro virus definition data file using the index for each 
macro virus family and providing the macro virus attributes defined in the retrieved 
macro vims definition data file; 

wherein the macro virus definitions database stores at least one of string constants 
and source code text common to each macro virus family in the macro virus attributes for 
the macro virus definition data files; and a comparison is performed between a suspect 
string and the at least one of string constants and source code text in the one or more 
macro virus definition data files for each macro virus family; 

wherein a parameter is utilized for specifying a threshold to matches of commonly 
shared at least one of string constants and source code text; 

wherein the macro virus definition data files are indexed i nto the macro virus 
families categorized by a replication method employed; 

wherein the suspect string comprises part of the suspect fi le, the suspect file 
comprising a plurality of individual suspect strings; 

wherein the replication method common to the plurality of th e individual suspect 
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strings in the suspect file is identified: 

wherein further included is an identification of the macro virus family by which 
the common replication method is indexed . 

40. (Currently Amended) A method according to Claim 39, further 
comprising: 

defining each macro virus family according to [[a]]the replication method 
common to each of the macro virus definition data files associated with one such index. 

4L-42 (Cancelled) 

43. (Previously Presented) A method according to Claim 39> further 
comprising: designating a minimum length of commonly shared string constants. 

44. (Previously Presented) A computer-readable storage medium holding code 
for performing the method according to Claims 39, or 40. 
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